From: Thierry FOURNIER <thierry.fournier@ozon.io>
Date: Fri, 27 Oct 2017 12:13:51 +0000 (+0200)
Subject: BUG/MINOR: lua: const attribute of a string is overridden
X-Git-Tag: v1.8-rc1~210
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c210e6aa87365b9b87b9d7e904b41f860f278b9;p=thirdparty%2Fhaproxy.git

BUG/MINOR: lua: const attribute of a string is overridden

If HAProxy is compiled without PCRE regexes, this can cause
a write in const memory. The probability of a consequence is
very low.
---

diff --git a/src/hlua_fcn.c b/src/hlua_fcn.c
index c37e2a96eb..a5cae8676d 100644
--- a/src/hlua_fcn.c
+++ b/src/hlua_fcn.c
@@ -1119,11 +1119,22 @@ static int hlua_regex_exec(struct lua_State *L)
 	struct my_regex *regex;
 	const char *str;
 	size_t len;
+	struct chunk *tmp;
 
 	regex = hlua_check_regex(L, 1);
 	str = luaL_checklstring(L, 2, &len);
 
-	lua_pushboolean(L, regex_exec2(regex, (char *)str, len));
+	/* Copy the string because regex_exec2 require a 'char *'
+	 * and not a 'const char *'.
+	 */
+	tmp = get_trash_chunk();
+	if (len >= tmp->size) {
+		lua_pushboolean(L, 0);
+		return 1;
+	}
+	memcpy(tmp->str, str, len);
+
+	lua_pushboolean(L, regex_exec2(regex, tmp->str, len));
 
 	return 1;
 }
@@ -1136,11 +1147,22 @@ static int hlua_regex_match(struct lua_State *L)
 	regmatch_t pmatch[20];
 	int ret;
 	int i;
+	struct chunk *tmp;
 
 	regex = hlua_check_regex(L, 1);
 	str = luaL_checklstring(L, 2, &len);
 
-	ret = regex_exec_match2(regex, (char *)str, len, 20, pmatch, 0);
+	/* Copy the string because regex_exec2 require a 'char *'
+	 * and not a 'const char *'.
+	 */
+	tmp = get_trash_chunk();
+	if (len >= tmp->size) {
+		lua_pushboolean(L, 0);
+		return 1;
+	}
+	memcpy(tmp->str, str, len);
+
+	ret = regex_exec_match2(regex, tmp->str, len, 20, pmatch, 0);
 	lua_pushboolean(L, ret);
 	lua_newtable(L);
 	if (ret) {